This Data Processing Addendum (“DPA”) forms part of the DATAx Terms of Service (the “Agreement”) between ContractorCTO LLC (“DATAx”, “Processor”, “we”, “us”, or “our”) and Customer (“Controller”, “you”, or “your”).
This DPA applies to the extent that DATAx processes Personal Data (as defined below) on behalf of Customer in the course of providing the Service, and such Personal Data is subject to Data Protection Laws, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, the California Consumer Privacy Act (“CCPA”), and other applicable privacy and data protection legislation.
1. Definitions
For the purposes of this DPA:
- “Data Protection Laws” means all applicable laws and regulations relating to the processing, privacy, and use of Personal Data, including but not limited to the GDPR, UK GDPR, CCPA, and other similar legislation.
- “Personal Data” means any information relating to an identified or identifiable natural person contained within Customer Data that is subject to Data Protection Laws.
- “Processing” (and related terms such as “Process” and “Processed”) means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- “Controller”, “Processor”, “Data Subject”, “Supervisory Authority”, and “Personal Data Breach” have the meanings given in applicable Data Protection Laws.
- “Sub-processor” means any Processor engaged by DATAx to Process Personal Data in connection with the Service.
- “Standard Contractual Clauses” or “SCCs” means the European Commission's Standard Contractual Clauses for the transfer of personal data to processors established in third countries (Module Two: Controller to Processor), as updated or replaced from time to time.
2. Scope and Roles
2.1 Parties' Roles
The parties acknowledge and agree that:
- Customer is the Controller of Personal Data and determines the purposes and means of Processing Personal Data
- DATAx is the Processor and Processes Personal Data only on behalf of and in accordance with Customer's documented instructions
- Customer is solely responsible for compliance with its obligations as a Controller under Data Protection Laws
- This DPA applies only to Personal Data that DATAx Processes on behalf of Customer as a Processor; it does not apply to data for which DATAx is a Controller (such as account registration and billing information)
2.2 Customer Instructions
DATAx will Process Personal Data only in accordance with Customer's documented instructions, which consist of:
- Instructions to provide the Service as described in the Agreement
- Other written instructions issued by Customer that are consistent with the Agreement and accepted by DATAx
- Actions taken by Customer and Authorized Users through the Service interface
DATAx will inform Customer if, in DATAx's opinion, an instruction from Customer infringes Data Protection Laws, unless prohibited by law from doing so.
2.3 Nature and Purpose of Processing
DATAx Processes Personal Data for the following purposes:
- Providing the Service as described in the Agreement
- Maintaining and supporting the Service
- Complying with applicable laws and legal obligations
- Enforcing the Agreement
2.4 Types of Personal Data
The Personal Data Processed under this DPA may include, depending on how Customer uses the Service:
- Contact information (names, email addresses, phone numbers, postal addresses)
- Identification data (user IDs, account credentials)
- Professional information (job titles, company names, business details)
- Project and construction data (job information, client details, vendor information)
- Financial information (invoices, payment records, billing information)
- Communications data (messages, comments, attachments)
- Technical data (IP addresses, device information, usage logs)
- Any other data uploaded by Customer or Authorized Users to the Service
2.5 Categories of Data Subjects
The Data Subjects whose Personal Data may be Processed include:
- Customer's employees, contractors, and representatives
- Customer's clients and prospective clients
- Customer's vendors, suppliers, and subcontractors
- End users of Customer's services
- Any other individuals whose Personal Data is uploaded to the Service by Customer
3. DATAx's Obligations as Processor
3.1 Compliance with Laws
DATAx will comply with all applicable Data Protection Laws in its Processing of Personal Data under this DPA.
3.2 Confidentiality
DATAx will ensure that all persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures
DATAx will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:
- Encryption of Personal Data in transit and at rest
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident
- Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures
- Measures to identify vulnerabilities with regard to the Processing of Personal Data in systems used to provide the Service
The specific security measures are described in the Security Policy available upon request.
3.4 Sub-processors
Customer consents to DATAx engaging Sub-processors to Process Personal Data. DATAx maintains a current list of Sub-processors at winyourdata.com/subprocessors.
DATAx will:
- Provide at least 30 days' notice before adding or replacing a Sub-processor
- Impose data protection obligations on Sub-processors that are substantially the same as those in this DPA
- Remain fully liable to Customer for the performance of any Sub-processor's obligations
If Customer objects to a new Sub-processor on reasonable data protection grounds, Customer may terminate the affected Service and receive a pro-rata refund of prepaid fees.
3.5 Data Subject Rights
Taking into account the nature of the Processing, DATAx will assist Customer by implementing appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including rights to:
- Access their Personal Data
- Rectify inaccurate Personal Data
- Erase Personal Data (“right to be forgotten”)
- Restrict Processing of Personal Data
- Data portability
- Object to Processing
If DATAx receives a request directly from a Data Subject, DATAx will promptly inform Customer and will not respond to the request without Customer's prior written authorization, except to inform the Data Subject that they should submit their request to Customer.
3.6 Personal Data Breaches
DATAx will notify Customer without undue delay and as required by applicable Data Protection Laws after becoming aware of a Personal Data Breach affecting Personal Data. The notification will include, to the extent available:
- Description of the nature of the Personal Data Breach
- Categories and approximate number of affected Data Subjects and Personal Data records
- Contact point for more information
- Description of the likely consequences of the Personal Data Breach
- Description of measures taken or proposed to address the Personal Data Breach and mitigate its adverse effects
DATAx will cooperate with Customer and take reasonable steps to remediate the Personal Data Breach to the extent within DATAx's control.
3.7 Data Protection Impact Assessments and Prior Consultation
To the extent required under Data Protection Laws, DATAx will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities, taking into account the nature of Processing and information available to DATAx.
3.8 Deletion or Return of Personal Data
Upon termination or expiration of the Agreement, DATAx will, at Customer's election:
- Delete all Personal Data in accordance with the data retention terms in the Agreement, or
- Return all Personal Data to Customer in commonly used formats (JSON, CSV, or other formats as available)
DATAx may retain Personal Data to the extent required by applicable law or in backup systems for up to 90 days, provided that DATAx will ensure the confidentiality of such Personal Data and will only Process it for purposes of complying with legal obligations.
3.9 Audits and Inspections
DATAx will make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer.
Customer may conduct audits (including inspections) no more than once per year, upon reasonable advance notice, during regular business hours, and in a manner that does not unreasonably interfere with DATAx's operations. Customer will be responsible for the costs of any such audit.
DATAx may also make available third-party audit reports (e.g., SOC 2, ISO 27001) in lieu of Customer audits, subject to confidentiality obligations.
4. Customer's Obligations as Controller
Customer represents and warrants that:
- Customer has and will maintain all necessary rights, consents, and lawful bases to collect and provide Personal Data to DATAx for Processing under this DPA
- Customer has provided all necessary privacy notices to Data Subjects and obtained all required consents
- Customer's instructions to DATAx comply with all applicable Data Protection Laws
- Customer will comply with its obligations as a Controller under Data Protection Laws
- Customer is solely responsible for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data
5. International Data Transfers
5.1 Data Transfers from the EEA, UK, and Switzerland
To the extent that DATAx Processes Personal Data that is protected by the GDPR or UK GDPR and that is transferred outside the European Economic Area, United Kingdom, or Switzerland, the parties agree that such transfers will be governed by the Standard Contractual Clauses, which are incorporated by reference and deemed executed by the parties.
For purposes of the Standard Contractual Clauses:
- Module Two (Controller to Processor) applies
- Customer is the “data exporter” and DATAx is the “data importer”
- The optional docking clause in Clause 7 applies
- Option 2 of Clause 9(a) (prior specific authorization) applies for Sub-processors
- Option 1 applies for Clause 11 (Redress): Data Subjects may lodge complaints with the supervisory authority in the country of their habitual residence
- The optional language in Clause 17 (Governing Law) and Clause 18 (Choice of Forum and Jurisdiction) does not apply; the laws of Ireland and courts of Ireland will apply
- Annexes I, II, and III of the SCCs are completed with the information in this DPA
5.2 Alternative Transfer Mechanisms
To the extent that DATAx implements alternative or additional data transfer mechanisms recognized under Data Protection Laws (such as EU-US Data Privacy Framework certification or adequacy decisions), Customer agrees that such mechanisms may also apply to data transfers under this DPA.
5.3 Data Locations
Personal Data will be primarily stored and Processed in data centers located in the United States. DATAx may transfer Personal Data to other locations where DATAx, its affiliates, or Sub-processors maintain facilities, subject to the safeguards described in this Section 5.
6. Liability and Indemnification
6.1 Liability
Each party's liability arising out of or related to this DPA will be subject to the limitations of liability set forth in the Agreement. For the avoidance of doubt, DATAx's total aggregate liability to Customer for all claims arising out of or related to this DPA will be limited as specified in the Agreement.
6.2 GDPR Article 82 Liability
Notwithstanding any provision to the contrary, each party's liability under this DPA to Data Subjects will be as set forth in Article 82 of the GDPR (or equivalent provisions of other Data Protection Laws), and DATAx's total aggregate liability to Data Subjects will not be limited where such limitation is prohibited by applicable law.
7. Term and Termination
This DPA will commence on the date Customer first uses the Service and will remain in effect until the termination or expiration of the Agreement. Upon termination, the data deletion and return provisions in Section 3.8 will apply.
8. General Provisions
8.1 Relationship to Agreement
This DPA is incorporated into and forms part of the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA will prevail to the extent of the conflict, but only with respect to the subject matter of this DPA.
8.2 Amendments
DATAx may update this DPA from time to time to reflect changes in Data Protection Laws, industry standards, or DATAx's data processing practices. DATAx will provide notice of material changes as required by the Agreement. Continued use of the Service after such notice constitutes acceptance of the updated DPA.
8.3 Severability
If any provision of this DPA is held invalid or unenforceable, the remainder of this DPA will remain in full force and effect, and the invalid or unenforceable provision will be replaced with a valid and enforceable provision that most closely achieves the intent of the original provision.
8.4 Governing Law
This DPA (excluding the Standard Contractual Clauses, which have their own governing law provisions) will be governed by the same law that governs the Agreement.
Annex I: Details of Processing (for SCCs)
A. List of Parties
Data Exporter(s):
- Name: Customer (as identified in the Agreement)
- Address: As provided by Customer in account settings
- Contact person: Customer's primary account administrator
- Activities relevant to data transfer: Use of the DATAx Service
- Role: Controller
Data Importer:
- Name: ContractorCTO LLC
- Address: 42 Oak Street, Suite A, Roswell, GA 30075
- Contact person: [email protected]
- Activities relevant to data transfer: Provision of cloud-based construction management software and related services
- Role: Processor
B. Description of Transfer
As described in Section 2 of this DPA.
C. Competent Supervisory Authority
The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer.
Annex II: Technical and Organizational Measures (for SCCs)
DATAx implements the technical and organizational measures described in Section 3.3 of this DPA and in the Security Policy available upon request, including:
Measures of Pseudonymization and Encryption
- TLS 1.2+ encryption for data in transit
- AES-256 encryption for data at rest
- Hashed and salted password storage
Measures for Ensuring Ongoing Confidentiality, Integrity, Availability, and Resilience
- Role-based access controls
- Multi-factor authentication
- Regular security assessments and penetration testing
- Network firewalls and intrusion detection systems
- Automated backups and disaster recovery procedures
- Redundant infrastructure across multiple availability zones
Measures for Ensuring Events Logging
- Comprehensive audit logs of access and activities
- Security information and event management (SIEM) systems
- Log retention and analysis
Measures for Ensuring System Configuration
- Hardened system configurations following industry best practices
- Regular security updates and patch management
- Vulnerability scanning and remediation
Measures for Internal IT and IT Security Governance
- Information security policies and procedures
- Employee security training and awareness programs
- Background checks for personnel with access to Personal Data
- Incident response and breach notification procedures
- Vendor risk management program
Measures for Certification/Assurance of Processes and Products
- Industry-standard security frameworks and certifications (as obtained)
- Regular third-party security audits
- Compliance assessments
Annex III: List of Sub-processors (for SCCs)
The current list of Sub-processors is maintained at winyourdata.com/subprocessors and includes:
- Google Cloud Platform / Firebase: Cloud hosting, database, authentication, and related infrastructure services
- Stripe: Payment processing and subscription management
- JOBTREAD: Construction management data integration
- DigitalOcean: Web application hosting and cloud infrastructure
- Resend: Transactional email delivery
- Kit: Email marketing and campaign management
Additional Sub-processors may be added as listed at winyourdata.com/subprocessors with appropriate notice as required by this DPA.
Contact Information: For questions about this DPA or data processing practices, please contact us at [email protected] or write to: ContractorCTO LLC, 42 Oak Street, Suite A, Roswell, GA 30075.